Matthew Jaster, Senior Editor
The International Society of Automation (ISA) defines functional safety as the detection of a potentially dangerous condition that depends on automatic protection or correction to prevent an unwanted consequence or reduce its severity. The automatic protection system is designed to respond appropriately to errors, hardware failures, and operational stressors. When every specified safety function is carried out and meets the set level of performance, functional safety is achieved. For years, many industrial organizations relied on simple hardware and software solutions to protect their equipment as well as their workers. However, the increasing complexity of components, together with the need for system integration, continues to challenge machine designers today.
A history of machine safety
A discussion of the history of machine safety starts with a good, firm barrier: barriers were simply put in place on the factory floor to isolate the operator from machine hazards. There were also emergency stop systems that halted the machine's motion, so that power could be cut off or shut down immediately should the need arise.
Christopher Radley, senior product line manager, systems, at Kollmorgen believes these are all viable safety solutions, but they do have downsides as they can halt production, reduce productivity, damage in-process product, and may put the machine in an unpredicted state that leaves the operator exposed to the risk it was intended to address.
“Modern Functional Safety solutions can provide for the continued operation of the machine thus preserving productivity, avoiding in-process product damage and still offer operator safety. These solutions retain the ability to provide emergency stopping when other safety measures are not adequate,” Radley said.
Europe has been a leader in machine safety and creating standardization around machine safety, according to Justin Hillukka, lead mechanical engineer of power transmission and custom products at Nexen.
“Industry standards like ISO 13849-1 have been around for a long time, but within the past 10 years, these standards have been revised and been applied more and more in the industry. Safety standards are utilized increasingly in machine design today,” Hillukka said.
Diagnostics, reliability and machine efficiency
What does functional safety mean to the power transmission market today and how can it improve diagnostics, reliability and machine efficiency?
Radley said that motion control with integrated safety functionality can provide diagnostic information about which function (e.g., Safe Stop, Safe Torque Off) was engaged and when. This lets machine builders and users consider whether something happened that affected the machine mechanics, whether the operator needs additional training, or whether a material problem is impacting machine performance.
“Today’s machines are designed to be more reliable than ever. But they still need to be properly maintained. Productivity demands can mean a desire to avoid machine shutdowns for routine maintenance, or at least delaying it. Machine designers can now take advantage of safety functions that let operation continue (function) while still being operated safely (Functional Safety). Safety functions such as Safe Limited Speed, Safe Direction, and Safe Limited Position provide the ability to work with the functioning machine and maintain the needed operator safety,” Radley added.
Having fail-safe, or default-to-safe-position, components in a machine is important for addressing the risk of danger. “For example, having a Nexsafe Servo Brake mounted to a servo motor allows for the machine to emergency brake to a stop if system power is lost. Condition monitoring is also an important feature of safety systems. Having feedback loops in the control systems allows the machine controller to know the state of the machine’s safety functions,” Hillukka said.
When performing a safety review on a design, Hillukka said, diagnostic coverage and reliability must be reviewed. The risk and required performance level of the application define how robust the reliability and diagnostic coverage must be. A machine that is designed with safety in mind, with a safety analysis performed according to standards like ISO 12100 and ISO 13849-1, will have sensor feedback for improved diagnostics and a more robust design for increased reliability.
“Depending upon rated durability of the components in a safety function, and how much risk is associated with the application, the safety function will need to allow for one or multiple faults in the machine before the safety function is compromised,” he added.
The most efficient machine—according to Radley—is the one that is running at top capacity as much of the time as possible. Rather than shutting the machine down unnecessarily when a safety cage is opened or a light curtain is breached, a functionally safe system can continue operating under specific protocols that protect the operator. This can be particularly important for complex machines, where a shutdown can entail significant time to reset and restart the machine.
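To make the behaviour described above concrete, the following Python model is an added example written for this article; it is not Kollmorgen's or Nexen's code and does not reproduce any product's implementation. It simulates a safety monitor for one motion axis: when the guard opens, the axis is kept running under Safe Limited Speed instead of being stopped; if the speed is still above the limit once a deceleration window has elapsed, or if the two independent speed-feedback channels disagree (a diagnostic-coverage check), the monitor latches Safe Torque Off until a deliberate reset; and every engagement is written to a diagnostic log recording which function engaged, when, and why. The SLS limit, the ramp time, the channel tolerance and the input trace are constructed assumptions for the hypothetical axis.

```python
"""Hypothetical safety-monitor simulation (added example, not vendor code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class SafetyFunction(Enum):
    """Functions the monitor can report, named as in the article."""
    NONE = "normal operation"
    SLS = "Safe Limited Speed"
    STO = "Safe Torque Off"


@dataclass(frozen=True)
class Sample:
    """One scan of the safety inputs: two independent speed channels and the guard switch."""
    t_ms: int
    speed_a_rpm: float
    speed_b_rpm: float
    guard_open: bool


@dataclass(frozen=True)
class DiagnosticEvent:
    """Which function engaged, when, and why: the record reviewed after an event."""
    t_ms: int
    function: SafetyFunction
    reason: str


@dataclass
class SafetyMonitor:
    # Assumed parameters for the hypothetical axis, not values from any product.
    sls_limit_rpm: float = 50.0          # speed permitted while the guard is open
    sls_ramp_ms: int = 500               # time allowed to decelerate below the limit
    channel_tolerance_rpm: float = 5.0   # max disagreement between feedback channels
    state: SafetyFunction = SafetyFunction.NONE
    log: List[DiagnosticEvent] = field(default_factory=list)
    _sls_since_ms: Optional[int] = None
    _latched: bool = False

    def _transition(self, t_ms: int, function: SafetyFunction, reason: str) -> None:
        if self.state != function:
            self.state = function
            self.log.append(DiagnosticEvent(t_ms, function, reason))

    def step(self, s: Sample) -> SafetyFunction:
        """Evaluate one scan and return the safety function currently in force."""
        if self._latched:
            # A latched STO is cleared only by an explicit reset, never by the inputs.
            return self.state
        # Diagnostic coverage: cross-compare the channels so a single failed encoder
        # or cable cannot hide an overspeed from the monitor.
        if abs(s.speed_a_rpm - s.speed_b_rpm) > self.channel_tolerance_rpm:
            self._latched = True
            self._transition(s.t_ms, SafetyFunction.STO, "speed feedback channels disagree")
            return self.state
        speed = max(abs(s.speed_a_rpm), abs(s.speed_b_rpm))  # worst case of the two
        if not s.guard_open:
            self._sls_since_ms = None
            self._transition(s.t_ms, SafetyFunction.NONE, "guard closed")
            return self.state
        # Guard open: keep running under SLS rather than stopping the machine.
        if self._sls_since_ms is None:
            self._sls_since_ms = s.t_ms
            self._transition(s.t_ms, SafetyFunction.SLS, "guard open")
        ramp_elapsed = s.t_ms - self._sls_since_ms >= self.sls_ramp_ms
        if ramp_elapsed and speed > self.sls_limit_rpm:
            self._latched = True
            self._transition(s.t_ms, SafetyFunction.STO,
                             f"{speed:.0f} rpm exceeds SLS limit of {self.sls_limit_rpm:.0f} rpm")
        return self.state

    def reset(self, t_ms: int) -> None:
        """Deliberate operator reset after a latched stop."""
        self._latched = False
        self._sls_since_ms = None
        self._transition(t_ms, SafetyFunction.NONE, "manual reset")


# Constructed input trace: production speed, guard opened twice; the second time the
# drive fails to decelerate within the ramp window, so the monitor escalates to STO.
DEMO_TRACE = [
    Sample(0, 1500.0, 1498.0, False),
    Sample(100, 1500.0, 1501.0, True),
    Sample(300, 800.0, 799.0, True),
    Sample(700, 40.0, 41.0, True),
    Sample(900, 40.0, 40.0, False),
    Sample(1100, 40.0, 39.0, True),
    Sample(1800, 120.0, 119.0, True),
    Sample(1900, 0.0, 0.0, False),
]


def run_trace(monitor: SafetyMonitor, trace: List[Sample]) -> List[SafetyFunction]:
    """Feed every scan to the monitor and return the function in force after each."""
    return [monitor.step(s) for s in trace]


if __name__ == "__main__":
    mon = SafetyMonitor()
    run_trace(mon, DEMO_TRACE)
    mon.reset(2500)
    for ev in mon.log:
        print(f"t={ev.t_ms:5d} ms  {ev.function.value:<20} {ev.reason}")
```

The log is the diagnostic information Radley describes: it shows that SLS, not a shutdown, was the response to the guard opening, and that the later STO was caused by a speed the drive should have shed, which points the reviewer at the mechanics or the drive tuning rather than at the operator.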
Any customer looking to take advantage of the previously discussed benefits of functional safety when implementing their motion system upgrade will need to perform a risk assessment.
“Risk assessment consists of a series of steps used to examine the hazards associated with machines. It consists of two stages, risk analysis and risk evaluation. The analysis and evaluation are used to make a risk estimation which is carried out for each identified hazard and hazardous situation. With this we can determine the required Safety Integrity Level (SIL) or Performance Level (PL) for the machine. This guides us as to the measures we will take, and the equipment we will use, to meet our required safety/performance level,” Radley said.
Additionally, safety certifications make the task of the risk assessment easier. Knowing that a product that will be part of your machine already meets a defined and certified level (such as SIL2 or PLd, for example) makes the assessment team's task faster and more efficient while also improving confidence in the final determination. A stated SIL or PL for a given product is the data that feeds the risk assessment; it is the certification, however, that tells the assessment team the stated SIL or PL has been reviewed by a competent authority and is not just the judgement of the supplier, Radley added.
Peace of mind also comes into play for machine builders.
“Safety certifications, like the Functional Safety Certification Nexen received for its Nexsafe products, give an increased level of confidence to the machine builder. They know that the product is held to design, quality, and performance requirements specified by industry standards, and verified by an internationally recognized certification body. Nexsafe products are evaluated and confirmed by third-party evaluation to meet all requirements for performance levels a through e and categories B through 4 per ISO 13849-1,” Hillukka said.
Partnering on functional safety products and equipment
Beyond the obvious ability to supply the motion control products the machine builder needs, there are important considerations in the certification of the products and of the equipment partner's processes.
For the products, Radley said that the certifications need to be made by a competent, independent, third party such as TÜV.
“It is not enough that the equipment partner judges that they have designed the product to meet the requirement, the machine builder needs and wants that third party certification. It is also important that the equipment partner owns the safety certificate. It is less desirable to have a situation where the product is coming from another supplier and being labeled by the equipment partner. The lack of ownership of the safety certificate can create problems if the machine builder needs anything other than the standard product as changes may not be possible except by the safety certificate owner,” Radley said.
For the processes, such as how the product is designed, built, and lifecycle-managed, Radley said there is also a need for certification. The equipment partner should be certified to IEC 61508 (parts 1 to 7), again by a competent, independent, third party such as TÜV. This matters for areas such as product traceability, which can be vital in case of an incident or a product recall.
“These certification requirements and processes are resource intensive, time consuming and expensive for equipment partners. Some equipment partners may want to gloss over their unwillingness or inability to make the investment. It is incumbent on the machine builder to ask the hard questions of their candidate partners: show me the certifications for the products, I need to confirm you are the certificate owner, show me your process certification, I’d like to review your process certification. In effect, asking ‘Are you certified by a competent, independent, third party?’ and I want the proof because I’m going to use that in my risk assessment process,” Radley continued.
Automation & the Factory of the Future
Demand for new safety functionality in response to the need for greater automation that maintains or enhances operator safety will increase in the coming years.
“The more we want collaborative work environments with machines and humans directly interacting, the more we will demand those work environments be safe and efficient,” Radley said.
Improvements in electronics and software architecture, coupled with reductions in their costs, will push more and more functionality to be integrated into elements the machine must have anyway, such as the motion control, rather than requiring additional hardware to be added to the system.
“When we do need to expand beyond the core hardware the desire will be for standardized network-based solutions such as FailSafe over EtherCAT (FSoE) rather than extensive hardwired approaches, saving time, effort, and cost while making systems more reliable, easier to maintain, and easier to troubleshoot,” Radley said.
Kollmorgen offers a variety of control, drive and motor solutions that support functional safety from simple hardwired Safe Torque Off (STO) to complex implementations that need to bring together more advanced safety functions like Safe Stop, Safe Brake Control and even Safe Dynamic Braking. “These can require careful planning with our OEM machine builders to ensure that our portion works seamlessly with other hardware on the machine. When implementing functions like Safe Limited Speed or Safe Direction it’s important to work closely with these customers to know what their objective is for the function in relation to the machine operation,” he added.
Nexen’s approach has been to stay aware of how functional safety standards and industry requirements are changing. “Based on these changes over the past few years, Nexen has shifted our focus to provide more safety focused components for machine builders. Nexen is committed to supporting our Nexsafe Functional Safety Certified components and furthering this portfolio of products to support applications outside of the scope of the rail brake, rod lock, and servo brake applications,” said Hillukka.
In the future, sensor feedback requirements for safety and for Industry 4.0 will become the standard. “Especially as factories become more automated,” said Hillukka. “The need for monitoring and diagnosing problems through internal machine troubleshooting will keep increasing in value.”
All of these safety capabilities come back to making informed design decisions from the very beginning of a machine build.
“It is important to take a holistic view of functional safety beyond the products themselves,” Radley added. “The certification for the products, along with the certification for the design, manufacture, and lifecycle management tests the strength of an organization and builds the process muscle required for the customer’s success.”
www.isa.com www.kollmorgen.com www.nexengroup.com